我使用 strip_tags 来确保在保存字符串之前删除每个 HTML 标签。 现在我遇到的问题是,没有任何结束标签的单个
<
也被删除了。
现在的想法是用匹配的 HTML 实体 <
替换每个 <
我有一个正则表达式,但它只替换了第一个发现,知道如何调整它吗?
这是我现在得到的正则表达式:
preg_replace("/<([^>]*(<|$))/", "<$1", $string);
我想要这个:
<p> Hello < 30 </p> < < < <!-- Test --> <> > > >
成为第一个
preg_replace(REGEX, REPLACE, $string)
:
<p> Hello < 30 </p> < < < <!-- Test --> <> > > >
然后是
strip_tags($string)
之后:
Hello < 30 < < < <> > > >
知道如何实现这一目标吗?
也许您甚至知道更好的方法。
你的问题很有趣,因此我花时间尝试 解决这个问题。我认为唯一的方法就是分几步完成:
第一步是删除 HTML 注释。
下一步是尝试将所有 HTML 标记与常规标记相匹配 表达式以便将它们重写为另一种形式,替换
<
和 >
由其他字符组成,例如 [[
和 ]]
。
之后,您可以将
<
替换为 <
,将 >
替换为 >
。
我们将
[[tag attr="value"]]
和 [[/tag]]
替换为
原始 HTML 标签 <tag attr="value">
和 </tag>
。
strip_tags()
或者使用更安全、更灵活的库,例如
HTMLPurifier.
抱歉,由于我使用了 用于轻松编辑的 Nowdoc 字符串 :
<?php
define('LINE_LENGTH', 60);
// A regular expression to find HTML tags.
define('REGEX_HTML_TAG', <<<'END_OF_REGEX'
~
<(?!!--) # Opening of a tag, but not for HTML comments.
(?<tagcontent> # Capture the text between the "<" and ">" chars.
\s*/?\s* # Optional spaces, optional slash (for closing tags).
(?<tagname>[a-z]+\b) # The tag name.
(?<attributes> # The tag attributes. Handle a possible ">" in one of them.
(?:
(?<quote>["']).*?\k<quote>
| # Or
[^>] # Any char not beeing ">"
)*
)
\s*/?\s* # For self-closing tags such as <img .../>.
)
> # Closing of a tag.
~isx
END_OF_REGEX);
// A regular expression to find
define('REGEX_BRACKETED_TAG', <<<'END_OF_REGEX'
~
\[\[ # Opening of a bracketed tag.
(?<tagcontent> # Capture the text between the brackets.
.*?
)
\]\] # Closing of a bracketed tag.
~xs
END_OF_REGEX);
$html = <<<'END_OF_HTML'
<p> Hello < 30 </p> < < < <!-- Test --> <> > > >
<p><span class="icon icon-print">print</SPAN></p>
<LABEL for="firstname">First name:</LABEL>
<input required type="text" id="firstname" name="firstname" /><!-- with self-closing slash -->
<label for="age">Age:</label>
<INPut required type="number" id="age" name="age"><!-- without self-closing slash -->
Shit should not happen with malformed HTML --> <p id="paragraph-58">Isn't closed
Or something not opened </div>
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
<input type="password" pattern="(?!.*[><]).{8,}" name="password">
<abbr data-symbol=">" title="Greater than">gt</abbr>
<nav class="floating-nav">
<ul class="menu">
<li><a href="/">Home</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
Test with spaces: <
textarea id="text"
name="text"
class="decorative"
>Some text< / textarea>
END_OF_HTML;
/**
* Just to print a title or a step of the operations.
*
* @param string $text The text to print.
* @param bool $is_a_step If set to false then no step counter will be printed
* and incremented.
* @return void
*/
function printTitle($text, $is_a_step = true) {
static $counter = 1;
if ($is_a_step) {
print "\n\nSTEP $counter : $text\n";
$counter++;
} else {
print "\n\n$text\n";
}
print str_repeat('=', LINE_LENGTH) . "\n\n";
}
printTitle('Input HTML:', false);
print $html;
printTitle('Strip out HTML comments');
$output = preg_replace('/<!--.*?-->/', '', $html);
print $output;
printTitle('replace all HTML tags by [[tag]]');
// preg_replace() doesn't support named groups but pre_replace_callback() does, so we'll use $1.
$output = preg_replace(REGEX_HTML_TAG, '[[$1]]', $output);
print $output;
printTitle('replace all < and > by < and >');
$output = htmlspecialchars($output, ENT_HTML5); // ENT_HTML5 will leave single and double quotes.
print $output;
printTitle('replace back [[tag]] by <tag>');
$output = preg_replace(REGEX_BRACKETED_TAG, '<$1>', $output);
print $output;
printTitle('Strip the HTML tags with strip_tags()');
$output = strip_tags($output);
print $output;
// It seems that the crapy strip_tags() doesn't always manage it's job!!!
// So let's see if we find some left HTML tags.
printTitle('Check what strip_tags() did');
if (preg_match_all(REGEX_HTML_TAG, $output, $matches, PREG_SET_ORDER)) {
print "Oups! strip_tags() didn't clean up everything!\n";
print "Found " . count($matches) . " occurrences:\n";
foreach ($matches as $i => $match) {
$indented_match = preg_replace('/\r?\n/', '$0 ', $match[0]);
print '- match ' . ($i + 1) . " : $indented_match\n";
}
print "\n\nLet's try to do it ourselves, by replacing the matched tags by nothing.\n\n";
$output = preg_replace(REGEX_HTML_TAG, '', $output);
print $output;
}
else {
print "Ok, no tag found.\n";
}
您可以在这里运行它:https://onlinephp.io/c/17665
对于正则表达式,我使用
~
而不是通常的 /
界定模式和标志。这只是因为我们
然后可以使用斜杠而不在模式中转义它。
我还使用了
x
标志来表示 ex 倾向符号,这样我就可以
在我的模式中添加一些注释并写在几行上。
为了可读性和灵活性,我还使用了命名捕获 组,例如
(?<quote>)
,这样我们就没有索引,这
如果我们添加一些其他捕获组,则可能会移动。反向引用
使用 \k<quote>
而不是索引版本 \4
完成。
HTML5 似乎相当宽松,因为
>
字符似乎可以
放入属性值中而不用 >
替换它。我
假设这在过去是不允许的,现在“可以”提供帮助
用户在 pattern
字段上写入可读的 <input>
属性。我
添加了不允许您使用的密码字段的示例
使用 <
和 >
字符。这是为了展示如何在
正则表达式,通过接受带有单个或的属性
双引号值。
Input HTML:
============================================================
<p> Hello < 30 </p> < < < <!-- Test --> <> > > >
<p><span class="icon icon-print">print</SPAN></p>
<LABEL for="firstname">First name:</LABEL>
<input required type="text" id="firstname" name="firstname" /><!-- with self-closing slash -->
<label for="age">Age:</label>
<INPut required type="number" id="age" name="age"><!-- without self-closing slash -->
Shit should not happen with malformed HTML --> <p id="paragraph-58">Isn't closed
Or something not opened </div>
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
<input type="password" pattern="(?!.*[><]).{8,}" name="password">
<abbr data-symbol=">" title="Greater than">gt</abbr>
<nav class="floating-nav">
<ul class="menu">
<li><a href="/">Home</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
Test with spaces: <
textarea id="text"
name="text"
class="decorative"
>Some text< / textarea>
STEP 1 : Strip out HTML comments
============================================================
<p> Hello < 30 </p> < < < <> > > >
<p><span class="icon icon-print">print</SPAN></p>
<LABEL for="firstname">First name:</LABEL>
<input required type="text" id="firstname" name="firstname" />
<label for="age">Age:</label>
<INPut required type="number" id="age" name="age">
Shit should not happen with malformed HTML --> <p id="paragraph-58">Isn't closed
Or something not opened </div>
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
<input type="password" pattern="(?!.*[><]).{8,}" name="password">
<abbr data-symbol=">" title="Greater than">gt</abbr>
<nav class="floating-nav">
<ul class="menu">
<li><a href="/">Home</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
Test with spaces: <
textarea id="text"
name="text"
class="decorative"
>Some text< / textarea>
STEP 2 : replace all HTML tags by [[tag]]
============================================================
[[p]] Hello < 30 [[/p]] < < < <> > > >
[[p]][[span class="icon icon-print"]]print[[/SPAN]][[/p]]
[[LABEL for="firstname"]]First name:[[/LABEL]]
[[input required type="text" id="firstname" name="firstname" /]]
[[label for="age"]]Age:[[/label]]
[[INPut required type="number" id="age" name="age"]]
Shit should not happen with malformed HTML --> [[p id="paragraph-58"]]Isn't closed
Or something not opened [[/div]]
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
[[input type="password" pattern="(?!.*[><]).{8,}" name="password"]]
[[abbr data-symbol=">" title="Greater than"]]gt[[/abbr]]
[[nav class="floating-nav"]]
[[ul class="menu"]]
[[li]][[a href="/"]]Home[[/a]][[/li]]
[[li]][[a href="/contact"]]Contact[[/a]][[/li]]
[[/ul]]
[[/nav]]
Test with spaces: [[
textarea id="text"
name="text"
class="decorative"
]]Some text[[ / textarea]]
STEP 3 : replace all < and > by < and >
============================================================
[[p]] Hello < 30 [[/p]] < < < &#60;> > > >
[[p]][[span class="icon icon-print"]]print[[/SPAN]][[/p]]
[[LABEL for="firstname"]]First name:[[/LABEL]]
[[input required type="text" id="firstname" name="firstname" /]]
[[label for="age"]]Age:[[/label]]
[[INPut required type="number" id="age" name="age"]]
Shit should not happen with malformed HTML --> [[p id="paragraph-58"]]Isn't closed
Or something not opened [[/div]]
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
[[input type="password" pattern="(?!.*[><]).{8,}" name="password"]]
[[abbr data-symbol=">" title="Greater than"]]gt[[/abbr]]
[[nav class="floating-nav"]]
[[ul class="menu"]]
[[li]][[a href="/"]]Home[[/a]][[/li]]
[[li]][[a href="/contact"]]Contact[[/a]][[/li]]
[[/ul]]
[[/nav]]
Test with spaces: [[
textarea id="text"
name="text"
class="decorative"
]]Some text[[ / textarea]]
STEP 4 : replace back [[tag]] by <tag>
============================================================
<p> Hello < 30 </p> < < < &#60;> > > >
<p><span class="icon icon-print">print</SPAN></p>
<LABEL for="firstname">First name:</LABEL>
<input required type="text" id="firstname" name="firstname" />
<label for="age">Age:</label>
<INPut required type="number" id="age" name="age">
Shit should not happen with malformed HTML --> <p id="paragraph-58">Isn't closed
Or something not opened </div>
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
<input type="password" pattern="(?!.*[><]).{8,}" name="password">
<abbr data-symbol=">" title="Greater than">gt</abbr>
<nav class="floating-nav">
<ul class="menu">
<li><a href="/">Home</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
Test with spaces: <
textarea id="text"
name="text"
class="decorative"
>Some text< / textarea>
STEP 5 : Strip the HTML tags with strip_tags()
============================================================
Hello < 30 < < < &#60;> > > >
print
First name:
Age:
Shit should not happen with malformed HTML --> Isn't closed
Or something not opened
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
gt
Home
Contact
Test with spaces: <
textarea id="text"
name="text"
class="decorative"
>Some text< / textarea>
STEP 6 : Check what strip_tags() did
============================================================
Oups! strip_tags() didn't clean up everything!
Found 2 occurrences:
- match 1 : <
textarea id="text"
name="text"
class="decorative"
>
- match 2 : < / textarea>
Let's try to do it ourselves, by replacing the matched tags by nothing.
Hello < 30 < < < &#60;> > > >
print
First name:
Age:
Shit should not happen with malformed HTML --> Isn't closed
Or something not opened
Be carefull with ">" in tag attribute values (seems to be allowed unescaped):
gt
Home
Contact
Test with spaces: Some text
如您所见,
strip_tags()
不处理标签周围的空格
name,我发现它完全不安全!这就是为什么我建议
使用诸如 HTMLPurifier 之类的库或
DOM 解析器。